diff options
| author | Li Wang <li.wang@windriver.com> | 2020-12-03 05:46:30 +0000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-12-18 23:01:48 +0000 |
| commit | 9a5ad5f02e4455068437ce770e97f50108d25153 (patch) | |
| tree | 38919543abd46ab2c0d651b17ebabe8363242c16 | |
| parent | 1153cc59191961d0fe51815186f18ce1ef5e21cb (diff) | |
| download | poky-9a5ad5f02e4455068437ce770e97f50108d25153.tar.gz | |
qemu: CVE-2020-25624
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-25624
backport patch from:
https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058
(From OE-Core rev: af9e9945ac81885421a6bb8432184a2bd1a3efff)
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 88d05be28da522fb390ee24f2871a113adf4366e)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch | 101 |
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index bbe2a39755..274c855d35 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
| @@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
| 34 | file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ | 34 | file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ |
| 35 | file://CVE-2020-24352.patch \ | 35 | file://CVE-2020-24352.patch \ |
| 36 | file://CVE-2020-29129-CVE-2020-29130.patch \ | 36 | file://CVE-2020-29129-CVE-2020-29130.patch \ |
| 37 | file://CVE-2020-25624.patch \ | ||
| 37 | " | 38 | " |
| 38 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 39 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
| 39 | 40 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch new file mode 100644 index 0000000000..7631bab39f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624.patch | |||
| @@ -0,0 +1,101 @@ | |||
| 1 | From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 3 | Date: Tue, 15 Sep 2020 23:52:58 +0530 | ||
| 4 | Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables | ||
| 5 | |||
| 6 | While servicing the OHCI transfer descriptors(TD), OHCI host | ||
| 7 | controller derives variables 'start_addr', 'end_addr', 'len' | ||
| 8 | etc. from values supplied by the host controller driver. | ||
| 9 | Host controller driver may supply values such that using | ||
| 10 | above variables leads to out-of-bounds access issues. | ||
| 11 | Add checks to avoid them. | ||
| 12 | |||
| 13 | AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0 | ||
| 14 | READ of size 2 at 0x7ffd53af76a0 thread T0 | ||
| 15 | #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734 | ||
| 16 | #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180 | ||
| 17 | #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214 | ||
| 18 | #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257 | ||
| 19 | #4 timerlist_run_timers ../util/qemu-timer.c:572 | ||
| 20 | #5 qemu_clock_run_timers ../util/qemu-timer.c:586 | ||
| 21 | #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672 | ||
| 22 | #7 main_loop_wait ../util/main-loop.c:527 | ||
| 23 | #8 qemu_main_loop ../softmmu/vl.c:1676 | ||
| 24 | #9 main ../softmmu/main.c:50 | ||
| 25 | |||
| 26 | Reported-by: Gaoning Pan <pgn@zju.edu.cn> | ||
| 27 | Reported-by: Yongkang Jia <j_kangel@163.com> | ||
| 28 | Reported-by: Yi Ren <yunye.ry@alibaba-inc.com> | ||
| 29 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
| 30 | Message-id: 20200915182259.68522-2-ppandit@redhat.com | ||
| 31 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
| 32 | |||
| 33 | Upstream-Status: Backport | ||
| 34 | CVE: CVE-2020-25624 | ||
| 35 | [https://git.qemu.org/?p=qemu.git;a=commit;h=1328fe0c32d5474604105b8105310e944976b058] | ||
| 36 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
| 37 | --- | ||
| 38 | hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++-- | ||
| 39 | 1 file changed, 22 insertions(+), 2 deletions(-) | ||
| 40 | |||
| 41 | diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c | ||
| 42 | index 1e6e85e..9dc5910 100644 | ||
| 43 | --- a/hw/usb/hcd-ohci.c | ||
| 44 | +++ b/hw/usb/hcd-ohci.c | ||
| 45 | @@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, | ||
| 46 | } | ||
| 47 | |||
| 48 | start_offset = iso_td.offset[relative_frame_number]; | ||
| 49 | - next_offset = iso_td.offset[relative_frame_number + 1]; | ||
| 50 | + if (relative_frame_number < frame_count) { | ||
| 51 | + next_offset = iso_td.offset[relative_frame_number + 1]; | ||
| 52 | + } else { | ||
| 53 | + next_offset = iso_td.be; | ||
| 54 | + } | ||
| 55 | |||
| 56 | if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || | ||
| 57 | ((relative_frame_number < frame_count) && | ||
| 58 | @@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, | ||
| 59 | } | ||
| 60 | } else { | ||
| 61 | /* Last packet in the ISO TD */ | ||
| 62 | - end_addr = iso_td.be; | ||
| 63 | + end_addr = next_offset; | ||
| 64 | + } | ||
| 65 | + | ||
| 66 | + if (start_addr > end_addr) { | ||
| 67 | + trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr); | ||
| 68 | + return 1; | ||
| 69 | } | ||
| 70 | |||
| 71 | if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) { | ||
| 72 | @@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, | ||
| 73 | } else { | ||
| 74 | len = end_addr - start_addr + 1; | ||
| 75 | } | ||
| 76 | + if (len > sizeof(ohci->usb_buf)) { | ||
| 77 | + len = sizeof(ohci->usb_buf); | ||
| 78 | + } | ||
| 79 | |||
| 80 | if (len && dir != OHCI_TD_DIR_IN) { | ||
| 81 | if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len, | ||
| 82 | @@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed) | ||
| 83 | if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) { | ||
| 84 | len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff); | ||
| 85 | } else { | ||
| 86 | + if (td.cbp > td.be) { | ||
| 87 | + trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be); | ||
| 88 | + ohci_die(ohci); | ||
| 89 | + return 1; | ||
| 90 | + } | ||
| 91 | len = (td.be - td.cbp) + 1; | ||
| 92 | } | ||
| 93 | + if (len > sizeof(ohci->usb_buf)) { | ||
| 94 | + len = sizeof(ohci->usb_buf); | ||
| 95 | + } | ||
| 96 | |||
| 97 | pktlen = len; | ||
| 98 | if (len && dir != OHCI_TD_DIR_IN) { | ||
| 99 | -- | ||
| 100 | 2.17.1 | ||
| 101 | |||
